cycbot | 26edb65ebd8068da4a53045b67e82d1e0a9076e344ce51a01110440c17a31cd1

General

Target

JaffaCakes118_a5a9d6a811a6ac220c16bdfb9f2784de.exe
Size

171KB
MD5

a5a9d6a811a6ac220c16bdfb9f2784de
SHA1

0cc98d24979c5b3eb8d8bbf9f0b2a1041c829277
SHA256

26edb65ebd8068da4a53045b67e82d1e0a9076e344ce51a01110440c17a31cd1
SHA512

bb459f691f3b12a07e823afc0a83a9c94e700c769506bb814360d63eed47fa2871524f47e3306db3641a5b708d54ba84c7e8f3b19482cc5c3b9613a18167caa7
SSDEEP

3072:6ss0CqwgO/CF1C+b4fotEfG2cX5J3YAndhNuoF2bm2EsqkfcV43EEJcT/21:PsRqfOWUfotEfDcX1DuyAEE2i

Score

10^/10

cycbot backdoor discovery rat upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 4 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/3464-15-0x0000000000400000-0x000000000046B000-memory.dmp	family_cycbot
behavioral1/memory/5880-53-0x0000000000400000-0x000000000046B000-memory.dmp	family_cycbot
behavioral1/memory/5548-125-0x0000000000400000-0x000000000046B000-memory.dmp	family_cycbot
behavioral1/memory/5880-221-0x0000000000400000-0x000000000046B000-memory.dmp	family_cycbot

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/5880-1-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/3464-12-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/3464-13-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/3464-15-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/5880-53-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/5548-125-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/5880-221-0x0000000000400000-0x000000000046B000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_a5a9d6a811a6ac220c16bdfb9f2784de.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_a5a9d6a811a6ac220c16bdfb9f2784de.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_a5a9d6a811a6ac220c16bdfb9f2784de.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 5880 wrote to memory of 3464	5880	JaffaCakes118_a5a9d6a811a6ac220c16bdfb9f2784de.exe	87
PID 5880 wrote to memory of 3464	5880	JaffaCakes118_a5a9d6a811a6ac220c16bdfb9f2784de.exe	87
PID 5880 wrote to memory of 3464	5880	JaffaCakes118_a5a9d6a811a6ac220c16bdfb9f2784de.exe	87
PID 5880 wrote to memory of 5548	5880	JaffaCakes118_a5a9d6a811a6ac220c16bdfb9f2784de.exe	97
PID 5880 wrote to memory of 5548	5880	JaffaCakes118_a5a9d6a811a6ac220c16bdfb9f2784de.exe	97
PID 5880 wrote to memory of 5548	5880	JaffaCakes118_a5a9d6a811a6ac220c16bdfb9f2784de.exe	97

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a5a9d6a811a6ac220c16bdfb9f2784de.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a5a9d6a811a6ac220c16bdfb9f2784de.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5880
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a5a9d6a811a6ac220c16bdfb9f2784de.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a5a9d6a811a6ac220c16bdfb9f2784de.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3464
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a5a9d6a811a6ac220c16bdfb9f2784de.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a5a9d6a811a6ac220c16bdfb9f2784de.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5548

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\856D.985

Filesize
597B

MD5
64fa6ba236fab8edd52058aa737634d9

SHA1
ba1cfed6588bac552a251c9da31be9752d4a6afb

SHA256
bfa1addee1282c510867018f3fb24c621a2dc47ba2589f12c1f950121e34fe2f

SHA512
9a5b169e593b1949a4d604935bb6618cdc920819b632d666bfec7446804c7b5b30ff6cf584c48003d1650ea0fdf41bbffd19dc02b36d61e0abbed7bb495b372e

Download Submit
C:\Users\Admin\AppData\Roaming\856D.985

Filesize
1KB

MD5
a67d9fa1b5a8d54d33e7026b994f0ed9

SHA1
d1b576a121fcf4525a4b5763abb94578b36c8d3f

SHA256
ca75e7e4dac593a0f495b92820d5e8abbcbca7fd0f2331b2babb7bf7f29b0499

SHA512
a6fcfc470e86fd2de65e782535a7c15b499faf0bf7fc4da0d131e008868dbfa8aa45f3826d8ee0248744bcf10c5ffc3438bb1b82ef6c320984a9972d16565be3

Download Submit
C:\Users\Admin\AppData\Roaming\856D.985

Filesize
1KB

MD5
626ca8f3792894c9961e02be96772765

SHA1
af1da5ce3ca0137a04706ff5ad2d045442edec91

SHA256
1de984cbf254793bc3063096bddd09be0eb94ee8951897ba0446746776bcf809

SHA512
6c61e981b9b607fbe65299ffe742175ba758f67949586a881f7a6b9a2bbc795db2a938d66c5750dfa1a67923efb6e95bb75cbc817e8876f8720647c0dbbd4975

Download Submit
C:\Users\Admin\AppData\Roaming\856D.985

Filesize
897B

MD5
c4d5b4dfec173d7539639097544e8500

SHA1
08e84198dc0c64c2e4dc1d7d0f383174e6cd51ee

SHA256
7374013f440b1df211de7ecef92e3e67bbce538f5342f78ebee49b62a09df709

SHA512
336c781efb9aa1879b361d980414011c3ab82edeb5c3cb2e0b0b369bc3f39266654cbc3b72c2f6d1238aef1d916289dc4006a4682ad079b3cf21db2c4ceeaf17

Download Submit
memory/3464-12-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/3464-13-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/3464-15-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/5548-123-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/5548-125-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/5880-1-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/5880-53-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/5880-221-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download

Analysis

Sharing